Cryptocurrency Laundering Test

Addresses identified as belonging to North Korean hackers have laundered $200,000 worth of cryptocurrency through MetaMask. This type of swap comes with high fees, but it can be an exit point for hackers.

A list of addresses linked to past North Korean hacker exploits has emerged in a series of MetaMask swaps. The addresses exchanged just $200,000 worth of crypto assets, leaving $1,985 in swap fees. The MetaMask router is among the high-fee tools for swapping cryptocurrencies, but it can be fast and hackers can access it to hide the origin of funds or avoid token freezes.

Although the amount was small, the event itself was ominous, given the perception that North Korean hackers were not trading, but testing. Hacking activity slowed in the second half of 2024, but there were still signs of mixing and attempts to hide funds.

The MetaMask discovery follows another episode of hacker addresses using Web3 services, DEXs, and the wallet’s native router. Incoming flows from hacker addresses on the Hyperliquid bridge were discovered. The DEX perpetual futures were not exploited in any way, but the event was also seen as a test of moving funds. Some believe that Hyperliquid is still vulnerable, given the limited checkpoints that can be exploited.

MetaMask itself has not been hacked and remains a secure wallet, barring personal errors. Taylor Monahan, @tayvano, also noted that the wallet has been targeted in multiple ways by North Korean hackers, who are always looking for ways to unlock stored cryptocurrency.

“MetaMask has always been concerned… We track the DPRK carefully because it represents the single biggest threat to crypto businesses. We also track all the other actors threatening cryptocurrencies before the DPRK being the biggest but not the only threat.”

The wallets that use MetaMask swaps also have a long history of using various decentralized protocols. They swap between Ethereum (ETH) and the stablecoins USDT and USDC.

Both stablecoins are, in theory, staking assets, but especially USDC. For this reason, wallets are always switching back to ETH or other tokens, or moving to the Arbitrum chain for some task. Wallets never hold a USDC balance for long, despite the very active use of the token.

Both addresses were very active, interacting with ENS accounts, OpenSea users, and Web3 protocols. Swaps continued over the past few hours, and the main task was again to move funds on a relatively small scale.

The wallet and its peers’ activities are connected to some of the most active modern protocols, tokens, non-fungible tokens (NFTs), and other assets. However, most of the activity revolves around swapping for stablecoins as a temporary step.

Recent swaps have been relatively simple, with transactions under $500. However, some wallet counterparties have shown interactions with DEXs and DeFi hubs, often dealing with Hyperliquid.

The alleged hacker’s wallet logs also contain interactions with Hyperliquid from the past few hours and days. The protocol has not been directly attacked at this time, but some see it as another tool for mixing funds or trading to hide the origin of tokens. The Hyperliquid bridge is the biggest concern for attacks, as the value of the hub has grown significantly. The bridge holds over $2 billion, and it may not be secure, according to @tayvano.

At this time, there is no other direct link between MetaMask Swap and a potential bridge attack. MetaMask swaps may be part of the general activity of moving between assets with minimal trac.